The final report into the 2008 Qantas flight QF72, which unexpectedly dived twice during a routine flight, has blamed a combination of software and hardware errors for the incident.
On 7 October 2008, the Australian-owned A330-303 aircraft was cruising at 37,000 feet when the autopilot disengaged and the aircraft rose, before …

COMMENTS

I suggest you go and research the number of safety incidents with autopilot on vs those with autopilot off.

Then come back here and resume your meaningless pontificating if you dare.

You do realise how statistically insignificant this event was, don't you? But rather than strap the 60 morons in their seats you would rather endanger millions more by not trusting systems that are far less fallible than the meat puppets they replace.

You do realise yours is the same kind of ill-informed opinion that makes our politicians come up with dozens of knee-jerk legislative and executive decisions every year, right?

3 incidents in 128 million hours of operation..?

Software "bug" of sorts

So basically - if I'm reading the report correctly - 1 of 3 inputs goes haywire intermittently ... but the software decision tree was expecting a hard fault, not a soft fault and when the device seemed to agree with the other two it put it back on-line only to have it go tits up again?

Averaging different inputs .... now where have we seen that recently?

Probably a human code bug - an unforeseen condition that the coders did not predict. My guess is that they will be burning some midnight oil with code reviews for a while now. Interestingly enough (after the industry accidentally killed a few people) when you write medical software, the first question asked is, "How can this kill someone?" ... reviews of flight code need to be, "How can this crash the plane?" ... not "How can we get the answer right?" - there's a big difference.

@ Joe Cooper

"I suggest you go and research the number of safety incidents with autopilot on vs those with autopilot off."

While, on average, the computer control is safer, you won't find the average human pilot aiming the plane at the ground and thinking it's ok.

People say computer control in cars will make them safer as they can override human decision. What about the times where the human decision is the right one? Doing an emergency stop on a busy motorway won't be fun.

@AC

The thing is, that is (apparently) exactly what happened with the Air France crash over the Atlantic - the co-pilot actually pointed the plane at the heavens, but the effect was the same as pointing it at the sea.

"reviews of flight code need to be, "How can this crash the plane?"

well... it IS the case, in theory.

The quite old DO-178B standard defines 5 levels of dev process, from the "A" level (a failure may lead to a plane crash - Most of embedded software is rated at this level) to the "D" level (no real impact - Usually used for the maintenance software which is allowed to be used only in the hangar - And yes, the bootstrap preventing the use of such software in flight is A-level).

The "E" level is a bit special, as it refers to any non-DO software (quite rare actually. Even In Flight Entertainment software is classified as level C or D, as a failure of it will lead to additional work for the cabin crew: passengers are usually quite nervous when faced with a BSOD in a plane, I wonder why...)

Practically, due to budget constraint, the software activities are subcontracted by the "stamper" to the "best" (AKA lowest) bidder. The one with the cheap right-out-of-the-school graduate.

RE: AC

"....While, on average, the computer control is safer, you won't find the average human pilot aiming the plane at the ground and thinking it's ok....." Unfortunately, the investigation into the crash of Air France Flight 447 showed that unskilled pilots were too reliant on computer aids and were happy to fly their jet into the ground (or the sea in their case), despite other "manual" aids (like the stall warning horn) telling them different. The key to Flight 447's demise was ice-blocked speed sensors, which therefore gave incorrect readings to the computer. This caused the autopilot to disengage as the computer decided it couldn't trust itself, the more-experienced captain pilot was on a rest break, whereupon the inexperienced copilots stalled the jet into the sea. In the Qantas case it seems the passengers were lucky their captain was in charge at the time of the crisis.

This is only because arseholes drive too close to the car in front. If all cars were computer controlled, they wouldn't do that, and a car stopping in an emergency would alert the cars around it. Job's a good 'un.

I only say this because planes have exactly those kinds of system - automatic distance and collision warnings and computer-negotiated advice to the pilots on whether to ascend/descend/change underwear.

99% of the time the computer can fly the plane just dandy, but you should always have a meatsack ready in case something goes wrong. Duh.

Pilot - or not

It's a well-known fact amongst pilots that there are two seats in an airliner cockpit for a specific reason; one for the pilot, and the other for his dog. The pilot is there to feed the dog, and the dog is there to stop the pilot getting anywhere close to the controls!

"While, on average, the computer control is safer, you won't find the average human pilot aiming the plane at the ground and thinking it's ok."

Except they do:

http://en.wikipedia.org/wiki/Spatial_disorientation

http://en.wikipedia.org/wiki/Sensory_illusions_in_aviation

http://www.avmed.in/2011/04/spatial-disorientation-an-introduction/

The bottom line is that there is no single right answer; there are times when the computer control will malfunction, but so far those have been rather a lot less than those incidents where the human pilot has "malfunctioned".

Inexperienced Humans

The problem is that the system is back-to-front. Far better to have the humans flying and the computers monitoring for errors than the other way around. Human nature being what it is, the pilots get to trust the automatics and lose valuable time in the rare event that something bad happens. With a lot of airline SOPs dictating that automatics should be used as much as possible, they also don't get practice at proper flying and, as was demonstrated by the Air France transcripts covered by El Reg recently, you end up with a pilot who actually can't fly the aircraft without help from the computers.

While I do agree in principle with the Honourable Anonymous Coward that:

"While, on average, the computer control is safer, you won't find the average human pilot aiming the plane at the ground and thinking it's ok."

I also wish to point out that, statistically, you may find more instances of people in control of the aircraft who, for various reasons, or no reasons, have decided to point the nose of the aircraft, if not to the ground, then towards other impactable objects.

Basic Airmanship

Matt, basic airmanship is to ensure the plane will fly. Pointing the nose at the sky, even with full power, is not the way to do this. Flying at a sensible attitude with sensible power should ensure the plane flies. Watch the altitude and you can get an idea if you've got it about right with the rate of sink or rise. Now the 'pilot' never knew that the idiot 'flying' the plane had the stick back due to averaging feedback. Good design? **NOT**! The deep stall that resulted is easy to understand. The pilots never understood this until too late. I am truly puzzled as to why. Training issue?

Now back to the original article, 2 out of 3 voting of inputs should have voted the faulty unit out. Either it was intermittent, or more worryingly to me, another device agreed within tolerances. Starting to prefer Boeing as they let the pilots have control when needed, and certainly the (nose high) stick position would be more obvious.

There is far more need for focus on training over the automation in each plane. Airbus have had their share of issues. The Air France crash at the Paris airshow in the late 80's was due to both pilot error (rushed unfamiliar manoeuvre) and the avionics (switching to landing mode without sufficient pilot warning).

Enough to say FAIL. Hope this encourages the whole industry to look at the cockpit automation issue. It is supposed to increase safety. I ask is it ?
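The failure pattern raised in the "Software 'bug' of sorts" comment and in the 2-out-of-3 voting remark above, as an added example that is not from the thread or the investigation report: a simplified monitor that averages the inputs it currently trusts, run once with immediate re-admission and once with a latched exclusion. The one-cycle monitor lag, the tolerance and the readings are all assumptions made for illustration; this is not the aircraft's actual algorithm.

```python
"""Constructed model: three redundant sensors, unit 1 has an intermittent fault."""
from statistics import median

TOLERANCE = 2.0   # assumed agreement band around the median
TRUE_VALUE = 2.0  # constructed "real" value the healthy units report

# Constructed readings (unit1, unit2, unit3); unit 1 spikes at cycles 3 and 7.
SAMPLES = [(50.0 if t in (3, 7) else 2.0, 2.25, 1.75) for t in range(10)]


def run_monitor(samples, latch):
    """Feed sensor triples through a simplified redundancy monitor.

    Trust flags applied on a cycle were computed on the previous cycle,
    modelling a monitor that reacts one sample late (an assumption).
    latch=False: a unit is trusted again as soon as it agrees (soft re-admit).
    latch=True:  a unit that has ever disagreed stays excluded.
    Returns (outputs, readmissions).
    """
    trusted = [True, True, True]
    outputs, readmissions = [], 0
    for sample in samples:
        # Average the units trusted so far; fall back to the median if none.
        used = [v for v, ok in zip(sample, trusted) if ok] or [median(sample)]
        outputs.append(sum(used) / len(used))
        # Re-evaluate trust for the next cycle against the median of all three.
        mid = median(sample)
        for i, value in enumerate(sample):
            agrees = abs(value - mid) <= TOLERANCE
            if latch:
                trusted[i] = trusted[i] and agrees
            else:
                if agrees and not trusted[i]:
                    readmissions += 1
                trusted[i] = agrees
    return outputs, readmissions


def bad_outputs(outputs):
    """Count output samples that left the tolerance band around the true value."""
    return sum(1 for o in outputs if abs(o - TRUE_VALUE) > TOLERANCE)


if __name__ == "__main__":
    for latch in (False, True):
        outputs, readmitted = run_monitor(SAMPLES, latch)
        policy = "latched" if latch else "re-admit"
        print(f"{policy:9s} bad outputs={bad_outputs(outputs)} "
              f"re-admissions={readmitted}")
```

With re-admission every recurrence of the spike reaches the averaged output; with latching only the first one does, at the cost of permanently losing one unit of redundancy.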

Last Dave

Out of which cavern have you come? Please, when you do not know what you are talking about, please, shut up. The crash of the Air France flight over the Atlantic, aka AF447, was due to the pilots, not the aircraft - despite the fact that some equipment was not functioning 100%.

The aircraft stalled, was losing altitude, yet the pilots kept pulling the joystick iso pushing it to gain lift. The auto-pilot was not engaged during the time of the incident ... so yes, you are right, they were pulling the joystick and were going downwards ... all because they had no lift ... pilots were idiots like you, I guess !

Is that a WinXP license sticker on the black box?

Seriously chaps, good work. Tell the machine who's boss. Humans have even higher redundancy than 3 built-in, but are slower. Sometimes it's advantageous. Additionally, good design that is both highly automated and allows manual overrides that make sense.

Also passengers: Keep your seatbelt on, if only for insurance claims - should you survive.

In (possibly) before claims

Well duh...

"It’s not clear what caused the ADIRU to shift into failure mode, as this is only the third time that it has happened in over 128 million hours of operation – although one of those other incidents was down to the same ADIRU in that aircraft."

That was my thought.

If units fail that rarely, it may be in the best interest of both the passengers and the company to simply replace the unit with a new one.

If we start with the assumption that a repaired unit has the same integrity as a new unit, the chances of a unit failing twice is very slim. If it does fail twice, then statistically, either the unit is bad, or the computer reading it is bad (it may come down to bad shielding around that 'slot').

Since intermittent failures are nearly impossible to diagnose in some cases, I think it would be safer to replace the device altogether, rather than continue to fly with it. Intermittent faults are annoying when it involves an X-Box or a cell phone, but on an aircraft? Just junk it, and get a new one.

RE: Just junk it, and get a new one.

If it fails, or is suspected of failing, just once then I'd be up for swapping that unit out for a new one. After all, it's a simple bolt-on box, it's not as if you would have to tear the plane apart to replace it.

Waiting for a unit to fail again amounts to gambling in my book. Someone in the supply chain was thinking "profit" before "danger" with that earlier decision.

RE: That was my thought.

Two problems with just swapping the unit - firstly, you're not definitely curing the problem; and secondly, the beancounters.

You are not curing the problem as you have not confirmed the unit is the definite cause of the problem. As mentioned, it could be shielding around the slot it plugs into, or an intermittent short or earth in the loom connecting the unit to the main system. To find the actual cause would involve a lot more testing of all the variables (like running the suspect unit in other slots to see if the problem moves with the unit or affects a "good" unit in the same slot).

Unfortunately, the beancounters are also not going to allow you to find the real cause. If you ask to remove the unit, the beancounters will simply say "no, it's expensive, if it passes diagnostics then slap it back in". If you ask for more time to find the real cause of the problem then the beancounters will point out the aircraft is needed to meet flight schedules. At the end of the day, we need more control for the authorities to step in and say that if an aircraft has a serious issue inflight, it is grounded until the definitive cause is found and fixed. If the definitive cause cannot be found, ALL possible items that could have been at fault have to be replaced (eg, ADIRU, slot and loom).

Mmmh...

The usual procedure for such failure is a return to the supplier, for extended analysis and tries to reproduce the problem. Don't forget that "software issues" will be applicable to ALL the equipment of the same model...

No one on the supply chain was thinking "profit", the unit was probably already returned, and the problem could not be reproduced - hence could not be fixed. It happens most of the time...

And as the price of such units is quite hefty (High dev costs and low volumes usually have this kind of effect), the decision to trash the unit is rarely an option. The worst case for reluctant hardware is to end their life as "not for flight" bench bitch.

I have been an avionics technician in the Air Force (US) and for a commercial airline. I have never run into a condition where I couldn't R&R a black box for any reason other than that a replacement box wasn't available. Intermittent problems are a BITCH for a couple of reasons; one has already been mentioned, it might not be the box that is causing the problem; another is that when a box with an intermittent problem goes in for repair, the chances are very good that no trouble will be found with the box; firmware might be upgraded, mods might be applied, it will be tested, cleaned, and put back in stock. The biggest problem in cases like in this article, with intermittent problems that occur very rarely, you have no idea if the new box fixed the problem.

VLF submarine communications station

Just outside of Learmonth 6 km from Exmouth is a high powered VLF submarine communications station (Naval Communication Station Harold E. Holt). I've seen the aerial farm and it is huge. It is extremely interesting that the aircraft was flying over it at the time of the failure.

They stated that it didn't appear that any passengers were using any electronic equipment but you have to wonder about interference from the communication station.

I hear all of the arguments about replacing this box, including "bean counters". However bean counters usually get persuaded by arguments involving loss of life and planes falling out of the sky - tends to be a bit more costly when that happens. I cannot imagine a bean counter saying no if his future depended upon making sure the airline was robustly protected against serious outages.

Connection issues: Really? Sounds pretty doubtful to me if the connectivity relies upon simple pressure fittings between components. I would expect every connection within and without the box to be clamped, with no margin for "iffy" connections.

With regard to swap-out, given the cost of these devices I would reasonably expect both the airline and the supplier to have worked out a support option on the contract which provides a hot-swap on demand. Presumably the original supply contract was for a few dozen units - and I would reasonably expect any competent supplier to add a few more to the quantity for build purposes.

And as for identifying which unit - a possible contender obviously, however under the circumstances I'd be up for swapping everything which could have played a part. As a hardware engineer (not with avionics) I have been in the situation where I swapped everything which could have been a cause. I never had a problem with a bean-counter declaring I had gone overboard, I was the on-site guy with responsibility for keeping the customer working and what I said was never questioned. Okay, most times I didn't swap everything, but it was always an option.

Re:Airbus apologists unite

Hah! Made it!

I'd point out that the claim isn't and never has been that the Airbus A330's fly-by-wire system never screws up, but only a gibbering twat would actually need that explained, and there's certainly none of those around here, are there?

RE: Airbus apologists unite!

"it's time for all the "Air France pilots were inadequately trained" people...." An amazing display of ignorance and prejudice. The investigation showed that the Flight 447 flight computer was stymied by frozen speed sensors and so switched off the autopilot. It was then the inexperienced copilot that stalled the jet into the sea after taking manual control.

@AC

I think you'll find that most people here thought that it was combination of the two - AF447 was the victim of some rather silly decisions regarding the control of the plane, made worse by two loons that shouldn't have been let loose with a child's kite.

Please keep your seatbelt on....

"Around 60 people were flying without their seatbelts fastened, despite being warned not to do so, and many were slightly or seriously injured after being thrown into the ceiling or side panels of the aircraft."

So of the 110 or so people injured, half of those were because some "free spirit" suddenly decided to occupy the same body space? Because they didn't want any restrictions on their freedom to move?

Not all of the others would be injured by flying bodies; some number were probably in the bathroom, waiting for the bathroom, going to/from the bathroom; some were at a galley getting another drink or flirting with a stew, and a mother may have been walking her child down the aisle.

Or...

It's an aluminium tube blasting through the sky at hundreds of miles an hour. What good would a loosely-adjusted lap belt possibly do.

I'd tend to suggest that those seatbelts are more there to stop panicky people jumping up and running around or provide some misguided reassurance, than any strong intrinsic safety properties. Three, four or five point harnesses for that job, methinks.

Told ya so...

Airbus aircraft are too often brought down by software bugs (a.k.a. "pilot training" [sic]), with the aircraft structure being in perfect mechanical condition in the millisecond before impact. If they could "...Just....Pull-up...", then the aircraft would need nothing more than a software fix and the seats cleaned.

Boeing aircraft are often already heavily damaged on the way down. Even if they landed in a mile-high pile of peacock feathers, they'd still require major structural repairs.

Those that deny this observation about the too common distinction in the two major brands are doing a disservice to the safety of aircraft in general.

Yes, there are always exceptions. This is a 60/40 (or perhaps even 70/30) percentage thing.

Do you work for Boeing, or are you just another anti-European Yank twit? If you actually knew anything about the subject, you'd know that modern Boeing aircraft are as full of software & fancy electronics as modern Airbus craft. To describe you as a muppet is an insult to muppets.

Two words....

Boeing and Airbus have different philosophies re human control

I don't recall the details and I'm too lazy to look it up, but I have read articles about the different philosophies embedded in the two companies' design rules. If I recall correctly, Boeing essentially trusts the pilots more than Airbus - the pilot is the final authority. He/she has the ability to override (some/all?) controls in ways that _might_ damage the aircraft, but also as a result has more ability to force the airplane to do what's necessary when the automated systems are screwing up. It supposedly goes back to Boeing's military heritage, where getting your own ass home might be more important than preventing the wings from being bent. (Many WWII fighter planes had a 'war emergency' power setting, which provided another boost of horsepower from the engines, but required an engine rebuild as soon as you got back to base.)

In summary, it's about who/what is the final authority - the pilot or the computer. I can't say definitively which is the best approach, but I'm inclined to go with the pilot most of the time - but this does demand that the pilot know enough to be trusted with that authority.